FFUF (Fuzz Faster U Fool)
Fast web fuzzer written in Go. Extremely versatile for directory brute forcing, parameter fuzzing, virtual host discovery, and more.
Installation
# Kali Linux (pre-installed)
apt install ffuf
# Go install
go install github.com/ffuf/ffuf/v2@latest
# GitHub release
wget https://github.com/ffuf/ffuf/releases/download/v2.1.0/ffuf_2.1.0_linux_amd64.tar.gz
tar -xzvf ffuf_2.1.0_linux_amd64.tar.gz
Basic Usage
Directory/File Fuzzing
# Basic directory fuzzing
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
# File extension fuzzing
ffuf -u http://target.com/FUZZ -w wordlist.txt -e .php,.html,.txt,.asp,.aspx
# Multiple FUZZ keywords
ffuf -u http://target.com/FUZZ.FUZ2Z -w wordlist.txt:FUZZ -w extensions.txt:FUZ2Z
Output Filtering
# Filter by status code
ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 404
# Match status codes
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200,301,302
# Filter by response size
ffuf -u http://target.com/FUZZ -w wordlist.txt -fs 4242
# Filter by word count
ffuf -u http://target.com/FUZZ -w wordlist.txt -fw 100
# Filter by line count
ffuf -u http://target.com/FUZZ -w wordlist.txt -fl 50
# Filter by regex
ffuf -u http://target.com/FUZZ -w wordlist.txt -fr "error|not found"
# Match regex
ffuf -u http://target.com/FUZZ -w wordlist.txt -mr "admin|config"
Performance Options
# Number of threads
ffuf -u http://target.com/FUZZ -w wordlist.txt -t 200
# Rate limiting (requests per second)
ffuf -u http://target.com/FUZZ -w wordlist.txt -rate 100
# Request delay
ffuf -u http://target.com/FUZZ -w wordlist.txt -p 0.1-2.0
# Timeout
ffuf -u http://target.com/FUZZ -w wordlist.txt -timeout 10
Advanced Fuzzing
GET Parameter Fuzzing
# Fuzz GET parameter name
ffuf -u http://target.com/?FUZZ=value -w params.txt
# Fuzz GET parameter value
ffuf -u http://target.com/?id=FUZZ -w values.txt
# Multiple parameters
ffuf -u "http://target.com/?name=FUZZ&id=FUZ2Z" -w names.txt:FUZZ -w ids.txt:FUZ2Z
POST Data Fuzzing
# Fuzz POST data
ffuf -u http://target.com/login -w wordlist.txt -X POST -d "username=admin&password=FUZZ"
# Fuzz parameter name
ffuf -u http://target.com/api -w params.txt -X POST -d "FUZZ=value" -H "Content-Type: application/x-www-form-urlencoded"
# JSON POST fuzzing
ffuf -u http://target.com/api -w wordlist.txt -X POST -d '{"username":"FUZZ"}' -H "Content-Type: application/json"
Header Fuzzing
# Fuzz header value
ffuf -u http://target.com -w wordlist.txt -H "X-Forwarded-For: FUZZ"
# Fuzz User-Agent
ffuf -u http://target.com -w useragents.txt -H "User-Agent: FUZZ"
# Static custom header sent with every request while the path is fuzzed
ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Authorization: Bearer token123"
# Fuzz header name
ffuf -u http://target.com -w headers.txt -H "FUZZ: value"
Virtual Host Discovery
# VHost fuzzing
ffuf -u http://target.com -w wordlist.txt -H "Host: FUZZ.target.com"
# Filter common false positives
ffuf -u http://target.com -w wordlist.txt -H "Host: FUZZ.target.com" -fs 4242
# With IP address
ffuf -u http://10.10.10.10 -w wordlist.txt -H "Host: FUZZ.target.com"
Subdomain Enumeration
# Subdomain fuzzing via Host header
ffuf -u http://target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.target.com" -fs 0
# Direct DNS resolution
ffuf -u http://FUZZ.target.com -w wordlist.txt -mc 200
Recursive Fuzzing
# Two-level recursion
ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2
# Recursive with extensions
ffuf -u http://target.com/FUZZ -w wordlist.txt -e .php -recursion -recursion-depth 1
# Control recursion strategy
ffuf -u http://target.com/FUZZ -w wordlist.txt -recursion -recursion-strategy greedy
Authentication
Basic Authentication
# Basic auth (ffuf has no dedicated auth flag; send the Authorization header yourself)
ffuf -u http://target.com/FUZZ -w wordlist.txt -H "Authorization: Basic $(printf 'username:password' | base64)"
# Fuzz credentials: ffuf cannot base64-encode on the fly, so pre-encode user:pass pairs into a wordlist first
while read -r u; do while read -r p; do printf '%s:%s' "$u" "$p" | base64; done < passwords.txt; done < users.txt > basic-auth.txt
ffuf -u http://target.com -w basic-auth.txt -H "Authorization: Basic FUZZ" -fc 401
Cookie-Based Authentication
# Static cookie
ffuf -u http://target.com/FUZZ -w wordlist.txt -b "session=abc123"
# Multiple cookies
ffuf -u http://target.com/FUZZ -w wordlist.txt -b "session=abc123; token=xyz789"
# Fuzz cookie value
ffuf -u http://target.com -w sessions.txt -b "PHPSESSID=FUZZ"
Token-Based Authentication
# Bearer token
ffuf -u http://target.com/api/FUZZ -w endpoints.txt -H "Authorization: Bearer token123"
# API key
ffuf -u http://target.com/api/FUZZ -w endpoints.txt -H "X-API-Key: key123"
Output Options
Output Formats
# JSON output
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json -of json
# CSV output
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.csv -of csv
# HTML output
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.html -of html
# Markdown output
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.md -of md
# All formats
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results -of all
Verbosity Control
# Verbose output
ffuf -u http://target.com/FUZZ -w wordlist.txt -v
# Silent mode (only results)
ffuf -u http://target.com/FUZZ -w wordlist.txt -s
# Non-interactive mode (disables the interactive console; use when scripting or piping output)
ffuf -u http://target.com/FUZZ -w wordlist.txt -noninteractive
SSL/TLS Options
# Skip certificate validation
ffuf -u https://target.com/FUZZ -w wordlist.txt -k
# HTTP/2
ffuf -u https://target.com/FUZZ -w wordlist.txt -http2
Proxy Support
# HTTP proxy
ffuf -u http://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080
# SOCKS proxy
ffuf -u http://target.com/FUZZ -w wordlist.txt -x socks5://127.0.0.1:1080
# Replay only the matched requests through Burp (-x above would send every request through the proxy)
ffuf -u http://target.com/FUZZ -w wordlist.txt -replay-proxy http://127.0.0.1:8080
Advanced Techniques
Multi-Stage Fuzzing
# Stage 1: Find directories
ffuf -u http://target.com/FUZZ -w dirs.txt -mc 200,301,302 -o dirs.json -of json
# Stage 2: Fuzz files in found directories (manual example)
ffuf -u http://target.com/admin/FUZZ -w files.txt -e .php,.html
Combining with Other Tools
# Extract URLs from ffuf JSON output and pass them to other tools
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200 -o results.json -of json
jq -r '.results[].url' results.json
# Chain with curl (silent mode prints only the matched FUZZ words, not full URLs, so rebuild the URL)
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200 -s | while read -r word; do curl -s "http://target.com/$word"; done
Custom Wordlist Generation
# Generate numeric range
seq 1 1000 > numbers.txt
ffuf -u http://target.com/user/FUZZ -w numbers.txt
# Generate with crunch (external tool)
crunch 4 4 -t @@%% | ffuf -u http://target.com/code/FUZZ -w -
Auto-Calibration
# Auto-calibration mode
ffuf -u http://target.com/FUZZ -w wordlist.txt -ac
# Auto-calibration with custom calibration strings (-acc can be repeated; it takes a string, not a percentage)
ffuf -u http://target.com/FUZZ -w wordlist.txt -ac -acc "nonexistent-dir-9f3a" -acc "nonexistent-file-9f3a.php"
Practical Workflows
Web Application Discovery
# Phase 1: Common directories
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,301,302,403 -t 100
# Phase 2: Medium wordlist with extensions
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -e .php,.html,.txt -mc 200,301,302 -t 50
# Phase 3: API endpoints
ffuf -u http://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200
Parameter Discovery
# GET parameter names
ffuf -u http://target.com/?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fs 0
# POST parameter names
ffuf -u http://target.com/search -w params.txt -X POST -d "FUZZ=value" -H "Content-Type: application/x-www-form-urlencoded" -fs 0
SQL Injection Testing
# Parameter value fuzzing with SQLi payloads
ffuf -u "http://target.com/user?id=FUZZ" -w /usr/share/seclists/Fuzzing/SQLi/quick-SQLi.txt -mr "error|mysql|sql|database"
# POST parameter SQLi
ffuf -u http://target.com/login -w sqli-payloads.txt -X POST -d "username=admin&password=FUZZ" -mr "error|syntax"
XSS Detection
# XSS payload fuzzing
ffuf -u "http://target.com/search?q=FUZZ" -w /usr/share/seclists/Fuzzing/XSS/XSS-Jhaddix.txt -mr "<script|alert|onerror"
# Reflected XSS in headers
ffuf -u http://target.com -w xss-payloads.txt -H "Referer: FUZZ" -mr "<script"
LFI/Path Traversal
# Path traversal fuzzing
ffuf -u "http://target.com/file?path=FUZZ" -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -mr "root:|passwd"
# Null byte injection
ffuf -u "http://target.com/include?file=FUZZ%00.php" -w lfi-wordlist.txt -mc 200
Rate Limit Testing
# Test rate limiting: the request needs a FUZZ keyword somewhere, and matching on 429 shows when throttling starts
seq 1 1000 | ffuf -u "http://target.com/api/endpoint?n=FUZZ" -w - -H "X-API-Key: key123" -rate 10 -mc 429
Common Use Cases
Finding Admin Panels
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -e .php,.asp,.aspx,.jsp -mc 200,301,302,403 -s | grep -i admin
Backup File Discovery
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -e .bak,.backup,.old,.zip,.tar.gz,.sql -mc 200
API Endpoint Discovery
ffuf -u http://target.com/api/v1/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt -mc 200,201,204 -H "Content-Type: application/json"
Configuration File Hunting
ffuf -u http://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e .conf,.config,.xml,.json,.yml,.yaml,.ini,.env -mc 200
Useful Wordlists
General Discovery
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
Parameters
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
/usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
Fuzzing Payloads
/usr/share/seclists/Fuzzing/SQLi/quick-SQLi.txt
/usr/share/seclists/Fuzzing/XSS/XSS-Jhaddix.txt
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
/usr/share/seclists/Fuzzing/command-injection-commix.txt
Tips and Best Practices
Performance Tuning
# Fast scan (careful with rate limiting)
ffuf -u http://target.com/FUZZ -w wordlist.txt -t 200 -rate 500
# Balanced scan
ffuf -u http://target.com/FUZZ -w wordlist.txt -t 100 -rate 100
# Slow/stealthy scan
ffuf -u http://target.com/FUZZ -w wordlist.txt -t 10 -rate 10 -p 1-2
Reducing False Positives
# Auto-calibration
ffuf -u http://target.com/FUZZ -w wordlist.txt -ac
# Multiple filters
ffuf -u http://target.com/FUZZ -w wordlist.txt -fc 404 -fs 0,4242 -fw 100
# Regex filtering
ffuf -u http://target.com/FUZZ -w wordlist.txt -fr "not found|error 404"
Memory Management
# Limit memory usage for large wordlists
ulimit -v 2000000 # 2GB limit
ffuf -u http://target.com/FUZZ -w huge-wordlist.txt
Comparison with Other Tools
| Feature | FFUF | Gobuster | Wfuzz | Dirb |
|---|---|---|---|---|
| Speed | Very Fast | Fast | Medium | Slow |
| Flexibility | Excellent | Good | Excellent | Limited |
| Filtering | Advanced | Basic | Advanced | Basic |
| Learning Curve | Medium | Easy | Medium | Easy |
| Active Development | Yes | Yes | Yes | No |
Common Errors and Solutions
Rate Limiting (429)
# Lower the request rate and add a per-request delay
ffuf -u http://target.com/FUZZ -w wordlist.txt -rate 10 -p 0.5-1.5
Connection Timeouts
# Raise the timeout and reduce concurrency
ffuf -u http://target.com/FUZZ -w wordlist.txt -timeout 30 -t 20
Too Many Results
# Apply filters or auto-calibration
ffuf -u http://target.com/FUZZ -w wordlist.txt -ac -fc 404 -fs 0
Integration Examples
With Burp Suite
# Send all traffic through Burp
ffuf -u http://target.com/FUZZ -w wordlist.txt -x http://127.0.0.1:8080
With jq for JSON Processing
# Extract specific data from JSON output
ffuf -u http://target.com/FUZZ -w wordlist.txt -o results.json -of json
jq -r '.results[] | select(.status==200) | .url' results.json
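The jq one-liners above and the two-stage workflow under Multi-Stage Fuzzing both come down to post-processing ffuf's JSON output. The script below is an added example (not part of ffuf or this cheat sheet) that does that in Python: it reads the results array ffuf writes with -o results.json -of json, finds the dominant length/words/lines signature that usually marks a soft-404 or catch-all page, suggests the matching -fs/-fw/-fl filters for the Reducing False Positives step, and builds the stage-2 target URLs from hits that look like directories. The embedded sample results are constructed to mimic ffuf's record shape (input, status, length, words, lines, redirectlocation, url); the 30% share threshold and the "403 means directory" heuristic are this example's own assumptions.

```python
"""Post-process ffuf JSON output: suggest false-positive filters and stage-2 targets."""
import json
import sys
from collections import Counter
from urllib.parse import urljoin


def _hit(word, status, length, words, lines, redirect=""):
    """Build one result record in the shape ffuf writes (constructed sample data)."""
    return {"input": {"FUZZ": word}, "position": 0, "status": status, "length": length,
            "words": words, "lines": lines, "content-type": "text/html",
            "redirectlocation": redirect, "url": f"http://target.com/{word}",
            "host": "target.com"}


# Constructed sample standing in for results.json; three hits share one catch-all signature.
SAMPLE_RESULTS = json.dumps({
    "commandline": "ffuf -u http://target.com/FUZZ -w dirs.txt -o results.json -of json",
    "results": [
        _hit("admin", 301, 178, 6, 8, "/admin/"),
        _hit("api", 301, 176, 6, 8, "/api/"),
        _hit("backup", 200, 4242, 100, 50),
        _hit("foo", 200, 4242, 100, 50),
        _hit("bar", 200, 4242, 100, 50),
        _hit("robots.txt", 200, 61, 3, 4),
        _hit("uploads", 403, 199, 14, 8),
    ],
})


def load_results(text):
    """Return the 'results' list from ffuf's JSON output."""
    return json.loads(text).get("results", [])


def signature(r):
    """The (length, words, lines) triple ffuf itself filters on with -fs/-fw/-fl."""
    return (r["length"], r["words"], r["lines"])


def dominant_signature(results, min_share=0.3):
    """Return the signature shared by the largest cluster of hits, or None.

    A cluster of identical-looking responses covering at least min_share of all
    hits is almost always a soft-404 or catch-all page rather than real content
    (min_share is an assumption of this example, not an ffuf setting).
    """
    if not results:
        return None
    sig, count = Counter(signature(r) for r in results).most_common(1)[0]
    if count < 2 or count / len(results) < min_share:
        return None
    return sig


def suggest_filters(results):
    """Render the ffuf filter flags that would drop the dominant cluster."""
    sig = dominant_signature(results)
    if sig is None:
        return ""
    length, words, lines = sig
    return f"-fs {length} -fw {words} -fl {lines}"


def stage_two_targets(results, placeholder="FUZZ"):
    """Build stage-2 URLs (directory + /FUZZ) from hits that look like directories.

    Directories are taken to be redirects to a trailing-slash location, or 403s
    (web servers commonly forbid listing a real directory). Hits matching the
    dominant false-positive signature are skipped.
    """
    noise = dominant_signature(results)
    targets = []
    for r in results:
        if noise is not None and signature(r) == noise:
            continue
        loc = r.get("redirectlocation", "")
        if r["status"] in (301, 302) and loc.endswith("/"):
            base = urljoin(r["url"], loc)        # resolve relative Location values
        elif r["status"] == 403:
            base = r["url"].rstrip("/") + "/"
        else:
            continue
        target = base + placeholder
        if target not in targets:
            targets.append(target)
    return targets


def main():
    # Usage: python3 ffuf_post.py results.json  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    results = load_results(text)
    flags = suggest_filters(results)
    print("suggested filters:", flags or "(no dominant cluster found)")
    for t in stage_two_targets(results):
        print("stage 2:", f"ffuf -u {t} -w files.txt -e .php,.html {flags}".rstrip())


if __name__ == "__main__":
    main()
```

Run it against a real results.json after stage 1; the printed stage-2 commands already carry the suggested -fs/-fw/-fl flags so the catch-all responses seen in stage 1 are filtered from the start of stage 2. The signature check uses all three of length, words and lines because a catch-all page that differs only in an embedded path length would slip past a size-only filter.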
Scripting Integration
#!/bin/bash
# Automated fuzzing script
targets=("http://site1.com" "http://site2.com")
for target in "${targets[@]}"; do
    echo "Fuzzing $target"
    ffuf -u "$target/FUZZ" -w wordlist.txt -mc 200,301 -o "results-${target//[:\/]/_}.json" -of json -s
done